[openssl-users] Enable the FIPS mode in the library level
alandean888 at gmail.com
Mon Mar 5 18:55:02 UTC 2018
Thanks a lot Matthias for the suggestion.
I have few follow-up questions below:
On Mon, Mar 5, 2018 at 2:57 AM, Dr. Matthias St. Pierre <
Matthias.St.Pierre at ncp-e.com> wrote:
> On 05.03.2018 10:46, Alan Dean wrote:
> Question 1: Is it even feasible to make the FIPS mode always enabled for
> the whole OpenSSL library (i.e. for both libcrypto and libssl), so that
> most the applications which dynamically linked to libcrypto and libssl will
> be automatically use OpenSSL FIPS mode without the need of changes to add
> the FIPS_mode_set invocation (with some exception such as OpenSSH which may
> still need some fixes). (Assuming from certification's perspective we are
> ok if we may these changes)
> Question 2: If the above idea is feasible, where in the OpenSSL library
> will be the best entry to invoke FIPS_mode_set API, so that we can make the
> whole OpenSSL library always in FIPS mode? Any potebtial issues for this
> Any suggestions will be greatly appreciated.
> The optimal location for inserting the FIPS_mode_set(1) call is probably
> OPENSSL_init() (openssl-1.0.2/crypto/o_fips.c), see code snippet below.
> void OPENSSL_init(void)
> static int done = 0;
> if (done)
> done = 1;
> #ifdef OPENSSL_FIPS
> FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
> # ifndef OPENSSL_NO_DEPRECATED
> # endif
> FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
> FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
> FIPS_mode_set(1); <<< ENABLE FIPS MODE HERE <<<
> #if 0
> fprintf(stderr, "Called OPENSSL_init\n");
Currently OPENSSL_init() is actually invoked from within FIPS_mode_set().
If we put FIPS_mode_set() inside OPENSSL_init, then it makes OPENSSL_init
to call itself recursively. In that case would it be ok to just remove
OPENSSL_init from within FIPS_mode_set?
> However, I am sceptical whether this approach will be accepted, because
> there are (at least) two potential problems:
> * Normally, it is mandatory to check the result of FIPS_mode_set() or
> FIPS_mode() to ensure that the FIPS initialization succeeded. However, an
> application which is not FIPS-aware won't check the result.
Did you mean if FIPS_mode_set is invoked in the library level, then
applications won't be checking the return results of FIPS_mode_set and
could cause problem if FIPS_mode_set didn't finish successfully?
> * It can happen that applications which have their own configuration and
> enable/disable FIPS mode explicitely, call FIPS_mode_set(0) afterwards.
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users